Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.
It only affects the Intel G33 series and newer.

Don't count on ioctl returning -errno; use errno directly.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Eric Anholt <eric@anholt.net>

We want to be able to use the bufmgr from multiple threads for GL, and thus
we need to protect the internal structures.
The pthread-stubs package is used so that programs not linked against
pthreads get weak symbols to stubs and don't eat most of the cost.

Allocate memory from different pools. This allows the OS to track memory
allocations for us, much like the linux memory debugging. This will ease
tracking down memory leaks since the OS can track the number of allocations
from each pool and help to point us in the right direction. Also replace
drm_alloc and friends with static __inline__ versions while we are here.

When using bufmgr_fake without DRM, the X server idles the ring whenever it
wants to wait for something to complete (brutal, but effective). In this
case, bufmgr_fake must treat the pending fence as having passed. However, it
wasn't recording the fences as it emitted them, nor cleaning buffers as they
passed.
Signed-off-by: Keith Packard <keithp@keithp.com>

We don't explicitly check for error here and M_WAITOK will just put the
process to sleep waiting on resources to become available.
Suggested by John Baldwin

d_mmap gets called twice and we are only able to associate the file_priv
during the first call. The second call will return EBADF and we need to
assume that the call was successful. d_mmap will not tolerate having an
error returned for the second call.